Ransomware Rising

A relatively new form of malware may be starting to gain popularity among virus writers and Internet scam artists. Known as "ransomware," this type of malicious code seizes control of the victim's files or computer and holds them until the victim meets the attackers' demands, usually a payment sent through some form of online currency such as e-gold or WebMoney.

Now, security experts have spotted a new twist in the ransomware scam: malware which demands that the victim purchase a certain amount of pharmaceutical drugs from a Russian online pharmacy in order to retrieve files that have been taken hostage.

Malware analysts at Chicago-based LURHQ Corp. last week published a write-up on a piece of ransomware dubbed "Archiveus," which copies every file in the victim's "My Documents" folder into a new folder, packs them into an archive protected by a 30-character password, and then deletes the originals.
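A practical check on that design, as an added example that is neither LURHQ's tooling nor the Archiveus sample: when a dropper carries its archive password in plain text, an analyst recovers it with the same scan `strings` performs, narrowed to runs that look like a generated password. The byte blob below, and the 30-character password inside it, are constructed for this demonstration.

```python
"""Find a hard-coded archive password in a dropper the way `strings` would.

Added example, not LURHQ's tooling and not the Archiveus sample. FAKE_DROPPER
is a constructed stand-in for a malware binary; the 30-character password in it
is made up for this demonstration.
"""
import re
from typing import List

# Constructed stand-in for a dropper: header bytes, a couple of paths and
# messages, and one long alphanumeric run that is the embedded password.
FAKE_DROPPER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"C:\\Documents and Settings\\All Users\\EncryptedFiles\x00\x01\x02"
    b"RESTORE_FILES.txt\x00\x00\x7f\x12"
    b"q8vx2mz7bn4pk9wr3jd6ht1yc5fs0l"  # 30 chars: the embedded password
    b"\x00\x90\x90\xcc\xcc"
    b"http://example.invalid/pharmacy\x00"
)


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Every run of at least min_len printable ASCII bytes, like `strings -n`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def looks_like_password(s: str, min_len: int = 20) -> bool:
    """Heuristic for a generated password: long, no spaces or path/URL
    separators, and a mix of letters and digits."""
    if len(s) < min_len or any(c in s for c in " \\/:."):
        return False
    return any(c.isalpha() for c in s) and any(c.isdigit() for c in s)


def candidate_passwords(blob: bytes) -> List[str]:
    """Strings from the blob that pass the password heuristic."""
    return [s for s in extract_strings(blob) if looks_like_password(s)]


if __name__ == "__main__":
    for cand in candidate_passwords(FAKE_DROPPER):
        print("candidate password:", cand)
```

On a real sample the heuristic will still turn up a handful of false positives (base64 blobs, registry GUIDs), so the hits are a short list to try against the archive, not an answer by themselves.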

A ransom note text file that accompanies Archiveus says victims can obtain a password to decrypt the file folder if they purchase anything from one of several online Russian pharmacies.

LURHQ said it didn't know how the bad guys were getting Archiveus onto victim machines, but the ransom note chides victims that they infected their machines by "viewing illegal porn sites." Most likely, ransomware like Archiveus lands on victims' PCs via "drive-by" downloads that exploit security flaws in Internet Explorer when the user visits a malicious Web site.

The company said portions of the ransom note appear to have been lifted from the note that accompanied a piece of ransomware called "Cryzip" that first surfaced in March. This particular ploy sounds a lot like another ruse I blogged about last month.

Russian antivirus firm Kaspersky Lab has for the past year or so been chronicling the emergence of various ransomware threats. In a post last month, Kaspersky examined a relatively benign form of ransomware that used the mere threat of destroying the would-be victim's files as a means of extracting payment.

Identified as Ransom.A by several anti-virus firms, it claims that it will destroy one of the victim's files every 30 minutes until he or she agrees to wire the attackers $10.99 via Western Union to obtain a special "unlock code." The ransom window keeps forcing itself on top of every other program window on the user's machine, and in an apparent attempt to embarrass the victim into complying, Ransom.A also intermittently pops up pornographic images.

But here's the catch: The whole thing is a bluff. The malware itself is not programmed to delete or encrypt anything. Still, according to Kaspersky, such empty threats are likely to trick at least some victims, in part because it may be next to impossible for most victims to tell whether any files are missing. "How is an average user going to check if all of his files are still there? He's not. Losing a file every 30 minutes is a scary thought, made up by the criminal in an effort to pressure the user to act quickly and pay up."

These two attacks are somewhat amateurish and not wholly representative of the potential threat from ransomware. In both cases the key to unlocking the files being held hostage resides on the victim's machine, hard-coded into the ransomware file itself, where an analyst can dig it out. But according to Kaspersky, ransomware authors made a major leap forward in 2006 by adopting one of the best known and most thoroughly studied public-key encryption systems, RSA.

The RSA-based ransomware seen so far used a 56-bit key. That is not a flaw in RSA but a hopelessly short modulus: a 56-bit number can be factored in a fraction of a second, which yields the attackers' private key and with it every hostage file. Even so, Kaspersky warns that "holding user data hostage is one of the most dangerous and rapidly evolving types of cyber crime." Once the bad guys adopt properly sized keys (1024 bits and up, well beyond anyone's ability to factor; a 256-bit RSA modulus would still fall in minutes, since RSA key lengths are not comparable to those of symmetric ciphers) and pick up on other methods such as those described by cryptology expert Bruce Schneier, the ransomware game will become a lot more dangerous.
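To make the key-size point concrete, here is an added example (not code from the article, from Kaspersky, or from any real sample) of the hybrid scheme such malware would use: a fresh symmetric key per file, with only that key wrapped under the attacker's RSA public key carried in the malware. The modulus is a toy 56-bit one built from two 28-bit primes chosen for this demonstration, the SHA-256 counter keystream stands in for a real cipher, and the document is constructed. With a modulus that small, Pollard's rho factors it immediately and the defender rebuilds the private key without ever contacting the attacker; the identical loop would never terminate on a 1024-bit modulus.

```python
"""Toy hybrid ransomware with a 56-bit RSA modulus, and why that is breakable.

Added example, not code from the article, Kaspersky or any real sample.
Toy modulus from two 28-bit primes; SHA-256 counter keystream stands in for a
real cipher. Requires Python 3.8+ for math.isqrt and pow(e, -1, m).
"""
import hashlib
import math
import random


def is_prime(n: int) -> bool:
    """Trial division: adequate for the sub-2^32 candidates used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, math.isqrt(n) + 1, 2))


def toy_rsa_keypair(bits: int = 56, seed: int = 2006):
    """Deterministic toy RSA key; returns ((n, e), (n, d))."""
    rng = random.Random(seed)
    half, e = bits // 2, 65537

    def rand_prime() -> int:
        while True:
            cand = rng.randrange(1 << (half - 1), 1 << half) | 1
            if is_prime(cand):
                return cand

    while True:
        p, q = rand_prime(), rand_prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for a stream cipher."""
    out = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                   for i in range(length // 32 + 1))
    return out[:length]


def xor_cipher(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def ransom_encrypt(plaintext: bytes, pubkey, rng: random.Random):
    """What the malware does: random 48-bit file key, wrapped under RSA."""
    n, e = pubkey
    file_key = rng.getrandbits(48).to_bytes(6, "big")  # < n, so textbook RSA applies
    wrapped_key = pow(int.from_bytes(file_key, "big"), e, n)
    return wrapped_key, xor_cipher(plaintext, file_key)


def pollard_rho(n: int, seed: int = 1) -> int:
    """A nontrivial factor of composite n (Pollard's rho, Floyd cycle finding).
    About sqrt(p) steps: a 56-bit modulus falls in milliseconds, a 1024-bit one
    never would."""
    if n % 2 == 0:
        return 2
    rng = random.Random(seed)
    while True:
        c = rng.randrange(1, n - 2)
        x = y = rng.randrange(2, n)
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d


def recover_private_key(pubkey):
    """What a defender can do when n is this small: factor it and rebuild d."""
    n, e = pubkey
    p = pollard_rho(n)
    q = n // p
    return n, pow(e, -1, (p - 1) * (q - 1))


def unwrap_and_decrypt(wrapped_key: int, ciphertext: bytes, privkey) -> bytes:
    n, d = privkey
    file_key = pow(wrapped_key, d, n).to_bytes(6, "big")
    return xor_cipher(ciphertext, file_key)


def demo(bits: int = 56) -> bool:
    """Encrypt a constructed document, then recover it without the attacker's key."""
    pub, _attacker_priv = toy_rsa_keypair(bits)
    doc = b"Quarterly numbers: revenue up 12%, headcount 45."  # constructed sample
    wrapped, ct = ransom_encrypt(doc, pub, random.Random(7))
    return unwrap_and_decrypt(wrapped, ct, recover_private_key(pub)) == doc


if __name__ == "__main__":
    print("recovered without attacker's private key:", demo())
```

The wrapped key, not the file data, is what matters: once the attacker's modulus is large enough that factoring is out of reach, the only copy of the decryption capability is the attacker's private key, and the embedded-key extraction that works against Archiveus and Ransom.A has nothing to find.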

It would be hard to find an online threat that more clearly demonstrates the virtues of regularly backing up important system files and documents. Windows XP users can take advantage of the files-and-settings backup feature, but it is far from a perfect or complete solution. PC Magazine has a decent review of another free Windows backup tool, WinBackup. There are also dozens of commercial software titles that offer full-featured, automated data backups. Cnet has a (somewhat dated) comparison of a few commercial backup products. Whatever you use, keep the backup copy somewhere the infected machine cannot reach and overwrite (malware that deletes "My Documents" will do the same to a backup folder it can see), and test that you can actually restore from it.

So, has anyone found a good fix for these? I just got one myself. Only use Firefox, McAfee Pro 8.0, always updated... I can't shell out $300 for my files back! Tried some .zip password cracker but there is no way it will break a 30-digit password.

This just seems like a threat that's existed since computers began, dressed up for the Da Vinci Code crypto-ignorant public.

As ever, it'll help sell a few more snake oil av products perhaps - Think of the buzzwords you can add to the av software now. Program the av software to backup the files the viruses you detect would delete and then put up a pretty "Analysing crypto hash...evaluating bit sequences...CODE DETECTED!!!" before you restore them.

A $5 backup program with "crypto" in the title might sell for $199 :) Put a picture of Mona Lisa on it.

The rest of us can just back up our data regularly.

If you don't do backups, every disk manufacturer on the planet happily prints on the specs of their product that no matter what you pay, or what you do, their product will destroy your data one day, and that didn't work.